
Enterprise Authorization Strategies - Intro to Grouper

Grouper, a project of the Internet2 Middleware Initiative, is a critical component of an open source identity and access architecture. Built by and for higher education, Grouper's access management and provisioning capabilities are uniquely suited to address the complexity and flexibility required by the modern institution. This session will be an introduction to Grouper. We will complement a discussion of Grouper's concepts, features, capabilities, and usage scenarios with hands-on activities. Come learn what Grouper can do for your campus!

Presentation videos at: http://lanyrd.com/2013/apereo/schtrd/

Grouper Training: https://spaces.internet2.edu/display/groupertrain
Grouper: http://www.internet2.edu/grouper/

Many slides and content courtesy of Tom Barton, Chris Hyzer, and Shilen Patel.

William G. Thompson, Jr.

June 02, 2013

Transcript

1. Agenda • Part I • Intro, basic concepts • Grouper Quickstart • Part II • Grouper in Action @ Penn • Qualtrics, Confluence, Kuali, ... • Part III • Hands on Grouper • Folders, Groups, Roles • Grouper Loader, Subject API, ...

2. CIFER, Shib, CAS, OR, CPR, Grouper? • Name, Role, Institution • CAS? Shib? CAS/Shib? • Person Registry? OR? CPR? • Enterprise Directory? OpenLDAP? AD? • Group/permission management today?

3. Identity & Access Management (IAM) • Identity • You • Authentication • Log in • Authorization • What you can do • Access management • Map policy & authority to authorization

4. Access management strategy • Tools & processes to translate IAM concepts into a typical campus environment • Which people? • What systems & business processes? • What policies? • What purposes? • Whose authority?

5. Why have an access management strategy? • Lower cost and time to deliver a new service • Simplify and make consistent by using the same group or role in many places [Diagram: Physics 101 Course Group reused for Lab Reservations, Wiki Access, Email Group]

6. Additional benefits of access management • Empower the right people to manage access. Take central IT out of the loop. • See who can access what, with a report rather than a fire drill

7. Access management stages: authorization > authentication • 1. Start out using a single user attribute, affiliation, in LDAP or Active Directory. This lets services implement simple access policies. [Diagram: Affiliation values student, faculty, staff, guest; Service: Staff portal]

8. Access management stages: authorization > authentication • 2. Enrich & centralize access management with groups determined from systems of record • Courses, financial accounts, departments • Define service-specific access policies in the centralized access management system [Diagram: Math Faculty Group can access Math Faculty Resources]

9. Access management stages: authorization > authentication • 3. Get central IT out of the loop • Distributed management • Exceptions • Departmental applications [Diagram: Math Faculty Group + Math Support Group can access Math Faculty Resources]

10. Access management stages: authorization > authentication • 4. Increase integration of access management • Direct integration with applications using web services • SOAP/REST/ESB • Roles & privileges to support applications more deeply [Diagram: HR Admin Role for Math Department, while John works there]

11. The Grouper Story • Open source, community-driven project of the Internet2 Middleware Initiative • Initial release v0.5 in December 2004

12. The Grouper Story • Key aims • Delegation and distributed management • Integration with most any existing Identity Management infrastructure [Diagram: Existing IdM Infrastructure]

13. The Grouper Story • Grouper v2.X expanded beyond groups • Roles & permissions • Rules: if removed from group A, then remove from group B [Diagram: HR-Admin]

14. Contributing organizations, so far • Brown University • California Polytech • Cardiff University • Campus Crusade for Christ International • Cornell University • Duke University • Freie Universität Berlin • GIP RECIA • LIGO • Newcastle University • Northern Arizona University • Ohio State University • SURFnet • University of Bristol • University of Chicago • University of Kansas • University of Memphis • University of Pennsylvania • University of Washington • University of West Bohemia

15. Latest addition to the community • Unicon offers IT Services for Education, specializing in Open Source • Cooperative Support Program for Grouper, Shibboleth, CAS, uPortal, uMobile, Sakai • Annual subscription, 4 levels, provides access to and funds a dedicated support team who work directly with the open source projects

16. Security & delegation • Create groups • Create subfolders • Admin • Update membership • Read membership • View group • Opt-in • Opt-out [Diagram: Delegation]
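The privilege list on the "Security & delegation" slide is what makes "take central IT out of the loop" safe: a group admin can hand out update or read rights without handing out the ability to re-delegate. The following is an added example, not Grouper's code, that models those privileges in Python: the privilege names come from the slide, while the implication table (admin implies everything, update implies read and view, read implies view), the Group class, PrivilegeError and the demo() scenario are assumptions made for this illustration.

```python
"""Minimal model of Grouper-style group privileges and delegation (added example)."""
from dataclasses import dataclass, field

ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT = "admin", "update", "read", "view", "optin", "optout"

# Assumed implication table: holding the key privilege grants the whole set.
IMPLIED = {
    ADMIN: {ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT},
    UPDATE: {UPDATE, READ, VIEW},
    READ: {READ, VIEW},
    VIEW: {VIEW},
    OPTIN: {OPTIN, VIEW},
    OPTOUT: {OPTOUT, VIEW},
}


class PrivilegeError(PermissionError):
    """Raised when the acting subject lacks the privilege an operation needs."""


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    privs: dict = field(default_factory=dict)  # subject -> directly granted privileges

    def effective(self, subject):
        out = set()
        for p in self.privs.get(subject, ()):
            out |= IMPLIED[p]
        return out

    def require(self, subject, priv):
        if priv not in self.effective(subject):
            raise PrivilegeError(f"{subject} lacks {priv} on {self.name}")

    # Delegation itself is an admin-only operation, so a delegate with
    # update cannot widen access any further than the admin allowed.
    def grant(self, actor, subject, priv):
        self.require(actor, ADMIN)
        self.privs.setdefault(subject, set()).add(priv)

    def revoke(self, actor, subject, priv):
        self.require(actor, ADMIN)
        self.privs.get(subject, set()).discard(priv)

    def add_member(self, actor, subject):
        self.require(actor, UPDATE)
        self.members.add(subject)

    def remove_member(self, actor, subject):
        self.require(actor, UPDATE)
        self.members.discard(subject)

    def list_members(self, actor):
        self.require(actor, READ)
        return sorted(self.members)

    # Opt-in/opt-out act on the subject's own membership only.
    def opt_in(self, subject):
        self.require(subject, OPTIN)
        self.members.add(subject)

    def opt_out(self, subject):
        self.require(subject, OPTOUT)
        self.members.discard(subject)


def demo():
    """Central IT delegates a department group; check what each delegate can do."""
    g = Group("math:faculty", privs={"central-it": {ADMIN}})
    g.grant("central-it", "dept-admin", UPDATE)   # may manage membership
    g.grant("central-it", "auditor", READ)        # may only report on it
    g.add_member("dept-admin", "prof-a")
    results = {"members": g.list_members("auditor")}
    attempts = {
        "auditor": lambda: g.add_member("auditor", "someone"),        # needs update
        "dept-admin": lambda: g.grant("dept-admin", "someone", UPDATE),  # needs admin
    }
    for actor, op in attempts.items():
        try:
            op()
            results[actor] = "allowed"
        except PrivilegeError:
            results[actor] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The important check is the one in grant(): without it, anyone with update could promote themselves, and the "report rather than fire drill" promise on the previous slides would no longer describe who can actually change access.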
17. Access management lifecycle support • Membership start & end times (optional) • Move or copy folders, groups, etc. • User audit • Point in time audit • Rules

18. Distributed Authorization Management • Different groups, different authorities • VPN only uses “vpn:authorized” [Diagram: vpn:authorized is composed from eligible (student, staff, postdoc) minus denied (closure, locked, IRB); authorities shown: core business systems / IdM system, IRB Office, IT Security Team]

19. Only Active faculty members can login to the grading application [Diagram: institution community groups: Faculty SOR (Payroll System) → Loader → Faculty group with Includes and Excludes; application groups and permissions: Faculty Grading role with Includes and Excludes → Login permission, Action: Assign; Deprovisioning]

20. Active IT support staff can manage applications that they work on [Diagram: Fine-grained Permissions Management. Institution community groups: IT org (Payroll system → Loader); app groups / permissions: App Support Role = Composite Intersection of IT org and App1 support; App1 permission and Col permission with actions restartTomcat, restartApache, deploy, viewLogs, all; WS get permissions for userA]
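Slides 19 and 20 both build access out of compositions: a loader-fed source group widened by includes and narrowed by excludes, a role intersected with an org group, and permissions hung off the role rather than off people, so that a change in the system of record deprovisions automatically. The following added example (not Grouper's code) evaluates those compositions in Python. The composite operators and the idea of the diagrams come from the slides; the Registry class, the group and role names such as ref:faculty:sor and app:support:app1:role, the subject ids and the scenario() function are assumptions for illustration.

```python
"""Composite groups, roles and permissions in the style of slides 19 and 20 (added example)."""


class Registry:
    def __init__(self):
        self.direct = {}      # group -> set of subject ids (loaded or hand-managed)
        self.composites = {}  # group -> (operator, left group, right group)
        self.role_perms = {}  # role -> {permission: set of actions}

    def members(self, name):
        """Effective members; composite groups are evaluated recursively."""
        if name in self.composites:
            op, left, right = self.composites[name]
            l, r = self.members(left), self.members(right)
            return {"union": l | r, "complement": l - r, "intersection": l & r}[op]
        return set(self.direct.get(name, ()))

    def permissions(self, subject):
        """All (permission, action) pairs the subject holds through its roles.
        Nothing is assigned to people directly, so leaving a role (or the
        source group behind it) removes the permission: deprovisioning."""
        out = set()
        for role, perms in self.role_perms.items():
            if subject in self.members(role):
                for perm, actions in perms.items():
                    out |= {(perm, action) for action in actions}
        return out


def build():
    r = Registry()
    # Slide 19: faculty from the payroll system of record (loader-managed),
    # widened by a hand-managed includes group and narrowed by an excludes
    # group. The grading role is that result minus application-local excludes.
    r.direct["ref:faculty:sor"] = {"alice", "bob"}        # written by the loader
    r.direct["ref:faculty:includes"] = {"carol"}          # adjunct added by the department
    r.direct["ref:faculty:excludes"] = {"bob"}            # on leave
    r.direct["app:grading:excludes"] = set()
    r.composites["ref:faculty:base"] = ("union", "ref:faculty:sor", "ref:faculty:includes")
    r.composites["ref:faculty"] = ("complement", "ref:faculty:base", "ref:faculty:excludes")
    r.composites["app:grading:faculty"] = ("complement", "ref:faculty", "app:grading:excludes")
    r.role_perms["app:grading:faculty"] = {"grading:login": {"assign"}}

    # Slide 20: only people who are both in the IT org (from payroll) and
    # listed as supporting App1 get the App1 actions.
    r.direct["ref:org:it"] = {"dave", "erin"}
    r.direct["app:support:app1:staff"] = {"dave", "frank"}
    r.composites["app:support:app1:role"] = ("intersection", "ref:org:it", "app:support:app1:staff")
    r.role_perms["app:support:app1:role"] = {"app1": {"restartTomcat", "viewLogs"}}
    return r


def scenario():
    """Permissions before and after the next loader run drops two people."""
    r = build()
    people = ("alice", "bob", "carol", "dave", "frank")
    before = {s: sorted(r.permissions(s)) for s in people}
    r.direct["ref:faculty:sor"].discard("alice")   # alice left the payroll
    r.direct["ref:org:it"].discard("dave")          # dave moved out of IT
    after = {s: sorted(r.permissions(s)) for s in people}
    return before, after


if __name__ == "__main__":
    for label, perms in zip(("before", "after"), scenario()):
        print(label, perms)
```

Note that bob, still present in the payroll feed, gets nothing because the excludes group wins, and frank gets nothing because the intersection requires the payroll-derived IT org membership as well as the hand-managed support list.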
21. [Architecture diagram: Grouper Admin (Groups, Roles and Permissions Management) via Grouper Shell, Web Services REST/SOAP, Web UI; core: Groups, Roles, Permissions, Grouper Loader, Provisioning Service Provider, Notifications XMPP/HTTP, Delegation, Rules, Policy, Audit, Change Log; Subjects through the Subject API from JNDI/JDBC, LDAP/AD, Person Registry; ESB; Shibboleth IdP Grouper Plugin; Systems of Record; Applications through the Grouper Client: Atlassian Jira / Confluence Grouper Plugin, Kuali Rice Grouper Plugin, Google Apps*, Any SaaS Applications, LDAP/AD. * PSP connectors may be needed]

22. Memberships become LDAP attributes. LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:
    dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
    ucismemberof: uc:org:nsit:integration:techag
    ucismemberof: uc:org:nsit:srdirs
    ucismemberof: uc:org:nsit:integration:iteco:wr
    ucismemberof: uc:applications:confluence:NSIT:esx
    ucismemberof: uc:org:nsit:integration:iteco:rd
    ucismemberof: uc:applications:confluence:NSIT:Directors
    ucismemberof: uc:org:nsit:staff
    ucismemberof: uc:applications:confluence:NSIT:Everyone
    ucismemberof: uc:org:nsit:integration:shib_group
    ucismemberof: uc:applications:bulkmail:users
    ucismemberof: uc:org:library:gnet:admins
    ucismemberof: uc:applications:gnetid:admins
    ucismemberof: uc:applications:wireless:authorized
    ucismemberof: uc:applications:cmail:users:authorized
    ucismemberof: uc:reference:affiliations:effective:staff
    Highlighted on the slide: ucIsMemberOf: uc:org:nsit:srdirs • ucIsMemberOf: uc:reference:affiliations:effective:staff • ucIsMemberOf: uc:applications:vpn:authorized
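Once memberships are published as a multi-valued LDAP attribute, an application that cannot call Grouper directly can still enforce a group-based policy (the VPN's "only vpn:authorized" rule from slide 18) by reading its user's entry. The following is an added example in Python, not Grouper's or UChicago's code: the attribute values are taken from the slide's entry (one of them is deliberately folded across two lines to exercise LDIF continuation handling, and one is spelled ucIsMemberOf as on the slide); the parser, the is_member() and vpn_access() functions are assumptions for illustration, and base64 ("::") values are not handled.

```python
"""Application-side authorization from memberOf-style LDAP attributes (added example)."""
from collections import defaultdict

# Constructed from the slide's entry; the cmail value is folded per LDIF rules.
LDIF = """\
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:applications:cmail:users:a
 uthorized
ucIsMemberOf: uc:applications:vpn:authorized
ucismemberof: uc:reference:affiliations:effective:staff
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    LDAP attribute names are case-insensitive, so they are lower-cased here;
    the slide itself shows both ucismemberof and ucIsMemberOf. A line that
    starts with a single space continues the previous line (RFC 2849).
    Base64 values ("attr:: ...") are not supported by this small parser.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        entry[name.strip().lower()].append(value.strip())
    return entry


def groups_of(entry, attr="ucismemberof"):
    return set(entry.get(attr.lower(), []))


def is_member(entry, group):
    """Exact, whole-value match. A prefix or substring test would accept any
    group whose name merely begins with the required one, so compare the
    complete group name."""
    return group in groups_of(entry)


def vpn_access(entry):
    """Slide 18's VPN policy: only vpn:authorized is consulted."""
    return is_member(entry, "uc:applications:vpn:authorized")


if __name__ == "__main__":
    e = parse_ldif_entry(LDIF)
    print(sorted(groups_of(e)))
    print("vpn:", vpn_access(e))
```

The two details worth carrying into a real deployment are the case-insensitive attribute name and the whole-value comparison; both are easy to get wrong when the check is written as a quick string search over a raw entry.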
23. UChicago applications managed by Grouper, so far • aams • Ad Astra • Bulkmail • Business Objects Enterprise • Chalk • CityRyde • Cmail • cnet • Confluence • Directory Administration • dmca • Facilities SIMS • gnetid • grouper • im • isx • IT Ecosystem • Lab School • LDAP • lists • Mail Forwarding • Mail Quarantine • Microsoft Exchange • modem pool • monitoring • myUChicago • Non-po • Onecard • online directory • password expiration • Service Now • sharepoint • shibboleth • statements portlet • SVN • tank • unifiedcomm • versions • virtualization • voip • vpn • web hosting • webproxy • webshare • webspace • wireless

24. Roadmap – v2.2 (Release, Item: Description) • 2.2, New Grouper UI: Provide new UI capabilities that better meet community needs. • 2.2, Services in Grouper: Tag objects in Grouper so that folders, groups, permissions can be associated with a "service" to make it easier for users to perform tasks in Grouper. • 2.2, Improved Grouper configuration: Make Grouper more easily deployable and upgradeable across environments with cascaded config files and expression language in config file entries. • On-going, Grouper Core: Continue adding capabilities to meet requirements from the field. • On-going, Community contributions: Solicit and publicize community contributions of extensions and complements to Grouper.

25. Roadmap – v2.2 (Release, Item: Description) • 2.2, Legacy attribute migration: Migrate legacy attributes into the new attribute framework. • 2.2, Unix GID management: Built-in support for managing unix GIDs

26. Penn and Grouper • Used Grouper centrally at Penn for 5 years • 120k groups • 2.7 million immediate memberships • 10k permission assignments • We use: UI, WS, GSH, loader, LDAP, client, external users, workflow with Kuali Rice edoclite, heavily delegated

27. Penn Grouper project team • ~20% technical person • ~20% data analyst • Small requirements from various other people: manager, sysadmins, LDAP admins, etc. • Note: during upgrades time requirements increase; these are average times

28. Example application: Qualtrics • Cloud survey tool which is not licensed to everyone at Penn • People in various schools or centers see a different branded site • Loader manages affiliate groups • Responsible parties can add ad hoc members • Shib entitlements communicate rights to

29. Example application: custom app admin console • Custom app framework does groups (pre-dated Grouper) • Integrated so groups could be linked externally to Grouper • For admins (all powerful), it is required that users be in the

30. Example application: Confluence wiki • Confluence (our version at least) can have external groups (hopefully LDAP) • We externalized users and groups so we have single sign-on, and the ability to use Grouper features: • Loader - auto-deprovisioning • Reuse groups in other apps • Central report to see who has what • Decentralized management

31. Grouper loader • Daemon that periodically syncs external sources with Grouper • Can work for groups or permissions (e.g. org chart) • SQL or LDAP sources (note: PSP does LDAP too) • Grouper admins can configure jobs based on attributes

32. Grouper loader (continued) • Can sync multiple groups from one query/filter (e.g. courses or orgs) • Penn has 92 SQL Grouper Loader jobs • Generally we run these daily, though some run a handful of times throughout the day
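A loader job is, at bottom, a periodic reconciliation: run the source query, compute the difference from what the registry currently holds, apply the adds and removes. The following is an added example, not the Grouper Loader's code, showing that reconciliation in Python for the "one query feeds many groups" case from slide 32. The row shape (group name, subject id) mirrors the slide; the enrollment table, the courses: folder name, the sync() algorithm and its guard against an empty result set are assumptions for illustration. An in-memory SQLite database stands in for the system of record, so it runs offline.

```python
"""Loader-style synchronisation of several groups from one SQL query (added example)."""
import sqlite3


def make_source():
    """Constructed system-of-record table: course enrollments."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE enrollment (course TEXT, subject_id TEXT)")
    db.executemany("INSERT INTO enrollment VALUES (?, ?)",
                   [("phys101", "alice"), ("phys101", "bob"), ("math201", "carol")])
    return db


# One query, many groups: the first column names the target group.
QUERY = "SELECT 'courses:' || course AS group_name, subject_id FROM enrollment"


def desired_memberships(db, query):
    """Run the loader query and collect subjects per target group."""
    want = {}
    for group_name, subject_id in db.execute(query):
        want.setdefault(group_name, set()).add(subject_id)
    return want


def sync(current, desired, managed_prefix):
    """Full refresh of every group under managed_prefix.

    Returns (adds, removes, new_state). A managed group the query no longer
    returns is emptied, which is the deprovisioning the slides rely on;
    groups outside the prefix are never touched. As a guard against a broken
    source (an empty result because the SOR was unreachable, for instance),
    an empty result set never removes anyone.
    """
    managed = {n for n in current if n.startswith(managed_prefix)}
    if not desired and any(current[n] for n in managed):
        raise RuntimeError("query returned no rows; refusing to empty managed groups")
    adds, removes = {}, {}
    for name in managed | set(desired):
        have, want = current.get(name, set()), desired.get(name, set())
        if want - have:
            adds[name] = want - have
        if have - want:
            removes[name] = have - want
    new_state = {n: set(m) for n, m in current.items()}
    for n, s in adds.items():
        new_state.setdefault(n, set()).update(s)
    for n, s in removes.items():
        new_state[n] -= s
    return adds, removes, new_state


def run_once():
    """Run the job against a constructed current state of the registry."""
    current = {
        "courses:phys101": {"alice", "zed"},  # zed dropped the course
        "courses:hist100": {"dave"},          # course no longer in the SOR
        "app:wiki:admins": {"erin"},          # hand-managed, not the loader's
    }
    return sync(current, desired_memberships(make_source(), QUERY), "courses:")


if __name__ == "__main__":
    adds, removes, state = run_once()
    print("adds:", adds)
    print("removes:", removes)
```

The prefix scoping matters as much as the diff: a job that may only write under courses: cannot, through a mistaken query, touch a hand-managed admin group elsewhere in the tree.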
33. Provisioning • Grouper PSP can provision Grouper data to LDAP or AD (other targets can be created) • Grouper change log can send notifications to XMPP, ESB, etc. (other targets can be created) • Generally we aim for periodic full refresh, with near real time updates

34. Auditing • “User audit” will audit who does what • Point-In-Time auditing will keep track of the history of the repository • Who was in this group at a point in time (or time range) in the past • Who are all the people who have been in this group • What groups was this person in at a point in the past (or time range)
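The three point-in-time questions on slide 34 are all interval queries over membership history: a membership is a (group, subject, start, end) record, and "who was in the group on date X" is just the records whose interval contains X. The following added example, not Grouper's code, implements that model in Python together with a small user-audit trail of who made each change. The query shapes follow the slide's bullets; the Membership and PitRegistry classes, the sample groups and people, and the at() helper are assumptions for illustration.

```python
"""Point-in-time membership audit in the style of slide 34 (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


def at(iso_date):
    """Helper: parse a constructed ISO date such as '2013-03-01'."""
    return datetime.fromisoformat(iso_date)


@dataclass
class Membership:
    group: str
    subject: str
    start: datetime
    end: Optional[datetime] = None  # None means still a member

    def active_at(self, t):
        return self.start <= t and (self.end is None or t < self.end)

    def overlaps(self, t1, t2):
        return self.start <= t2 and (self.end is None or t1 < self.end)


@dataclass
class PitRegistry:
    history: list = field(default_factory=list)     # every interval ever recorded
    user_audit: list = field(default_factory=list)  # (when, actor, action, group, subject)

    def _open(self, group, subject):
        return next((m for m in self.history
                     if m.group == group and m.subject == subject and m.end is None), None)

    def add(self, actor, group, subject, when):
        if self._open(group, subject):
            return  # already a member; nothing to record
        self.history.append(Membership(group, subject, when))
        self.user_audit.append((when, actor, "add", group, subject))

    def remove(self, actor, group, subject, when):
        m = self._open(group, subject)
        if m:
            m.end = when  # close the interval rather than deleting history
            self.user_audit.append((when, actor, "remove", group, subject))

    # The three questions from the slide, plus the user-audit lookup.
    def members_at(self, group, t):
        return sorted({m.subject for m in self.history if m.group == group and m.active_at(t)})

    def members_between(self, group, t1, t2):
        return sorted({m.subject for m in self.history if m.group == group and m.overlaps(t1, t2)})

    def ever_members(self, group):
        return sorted({m.subject for m in self.history if m.group == group})

    def groups_of_at(self, subject, t):
        return sorted({m.group for m in self.history if m.subject == subject and m.active_at(t)})

    def who_removed(self, group, subject):
        return [(w, a) for w, a, act, g, s in self.user_audit
                if act == "remove" and g == group and s == subject]


def demo():
    """Constructed history: a loader-fed faculty group and a hand-managed wiki group."""
    r = PitRegistry()
    r.add("loader", "ref:faculty", "alice", at("2012-09-01"))
    r.add("loader", "ref:faculty", "bob", at("2012-09-01"))
    r.add("dept-admin", "app:wiki:editors", "bob", at("2013-01-15"))
    r.remove("loader", "ref:faculty", "bob", at("2013-03-01"))
    r.add("loader", "ref:faculty", "carol", at("2013-04-01"))
    return r


if __name__ == "__main__":
    r = demo()
    print("faculty on 2013-02-01:", r.members_at("ref:faculty", at("2013-02-01")))
    print("bob's groups on 2013-06-01:", r.groups_of_at("bob", at("2013-06-01")))
```

Closing intervals instead of deleting rows is the whole trick: it keeps the current view cheap (open intervals) while the historical questions stay answerable, and the user-audit row tells an investigator whether a removal came from the loader or from a person.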
35. In 2009 Penn wanted to convert paper access management forms to eForms [Paper form screenshot]

36. Requirements • Autofill personal information • Common includes (privacy statement) • Fill out form on behalf of someone else • Org chart picker for data access • Person picker from group (employee) • Notification to requester when complete • Report on form data • Should require no Java to create forms

37. Routing requirements • Route to members of Grouper group • Route to selected group (pick school) • Ability to return to previous route node • Route to multiple groups at once • Conditional routing • Dynamic routing to someone entered on form

38. Security requirements • Submitters can see current and past forms • Approvers can see current and past forms • Certain people can edit certain forms

39. Kuali Rice overridable services [Diagram: Rice request → grouperRice.jar on the Rice server (Kuali DB) → Grouper WS server → Grouper Registry; configured by Grouper.client.properties, using grouperClient.jar]

40. eForms workflow with Grouper [Workflow diagram: Initiator fills out form (Grouper UI person / org pickers); on login to Rice, get subject details; get members to route to and emails via Grouper WS; routes to approver group ... approver group N, one in group approves; Final: add a member to a Grouper group/role and/or assign permissions; archive the document data and workflow history; components: Grouper Registry, Kuali DB]

41. eForms demo workflow [Workflow diagram: Initiator fills out form → if on behalf of someone else, they need to approve it, unless it is a ‘remove access’ → Supervisor (person picker; note: supervisor cannot be the same as ‘On behalf of’) → School admin (Grouper group selected from available schools) → HR → Payroll (HR and payroll could approve in parallel in future) → Operations: grant access that isn’t automatically provisioned; change KEW initiator to ‘on behalf of’ user → Data admin: assert that form is valid → Data admin: assert that privileges were granted correctly → Final: send email to ‘on behalf of’ user]

42. Grouper Rice group provisioning • Grouper can provision groups and permissions when forms are complete, so generally Penn does not use it that way

43. Penn’s Secure Space • Penn launched Secure Space in Fall 2010 • Initially it was for PennKey holders only • 2011 we enabled external users • 2013 we will retire this service in favor of Box.net

44. Penn’s Secure Space (continued) • Secure Space is built on Grouper with three groups per space: admins, users, readonly • When logging in, the Grouper client / WS is used to cache the list of groups for the user • On create/delete space, GC/WS is used to create/delete groups • Group memberships are managed via the membership lite UI screen

45. Penn’s Secure Space (continued) • Penn’s Grouper has rules to only allow external users in certain SS folders • Penn’s Grouper external users must be invited to be able to register • SecureSpace uses InCommon • EPPN is required for external users • External users self-register their name, email, institution

46. Penn’s Secure Space (continued) • Penn installed Shibboleth Discovery Service (DS/WAYF), customized: • Pennify • Support channel • Make it easy for Penn users • Recommend ProtectNetwork for users who don’t have an InCommon account which releases EPPN

47. Penn’s Secure Space (continued) • Grouper shows external users with a different icon, and description: • [unverifiedInfo] First Last - institution [externalUserId] [email address] • External users do not show in results for groups which do not allow external users • Demo